- Apr 24, 2016
The release of patches for the Exchange Server vulnerabilities exploited by Hafnium led to a further, much larger wave of Exchange server compromises, as non-state threat actors reverse-engineered the patches and used the resulting exploits for ordinary, non-political ransomware attacks. It is very often the case that a patch is the first that criminal hackers learn of a vulnerability, and diffing the patched binary against the unpatched one is often a quick and easy way to develop an exploit for use against the systems that have not yet been patched.
It is for this reason that Google’s Project Zero has often attracted a lot of flak: it insists on publishing the details of the vulnerabilities it reports 90 days after reporting them, irrespective of whether vendors such as Microsoft have had enough time to test and roll out a fix.
Today Project Zero announced a new policy that gives vendors a further 30 days for their patch to be rolled out before details are disclosed, as long as they have actually released the patch within the usual 90 days, making it up to 120 days between the report and disclosure. In cases where a vendor has not released a patch within 90 days, disclosure would still take place at the end of the usual 90-day period.